16:00:22 <onyinyang> #startmeeting tor anti-censorship meeting
16:00:22 <MeetBot> Meeting started Thu Jul 24 16:00:22 2025 UTC. The chair is onyinyang. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:22 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:00:22 <onyinyang> hello everyone!
16:00:22 <onyinyang> here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469
16:00:31 <meskio> hello
16:01:00 <dan_b> oh hey, i'm crashing this meeting 🙂
16:01:06 <shelikhoo> hi~hi~
16:01:10 <cohosh> hi
16:01:13 <onyinyang> dan_b, welcome! :d
16:01:17 <onyinyang> :D
16:01:36 <meskio> dan_b: I hope you brought drinks
16:01:40 <dan_b> hahaha
16:01:56 <onyinyang> our agenda is pretty empty but I'll give everyone a few minutes in case there are any late comers :)
16:02:04 <shelikhoo> thanks dan_b, here is your crash link: chrome://crash
16:02:16 <dan_b> oh interesting, is the pad locked on whom can edit?
16:02:56 <onyinyang> yes, I can send you a link if you need to edit the pad
16:03:09 <meskio> we've been getting trolls on the pad
16:03:17 <dan_b> oph
16:03:18 <meskio> we share the link on private, I just sent it to you
16:03:22 <dan_b> cool
16:03:25 <shelikhoo> onyinyang: i have assigned you as a reviewer of Add Domain Fronting Test Support to probeobserver https://gitlab.torproject.org/tpo/anti-censorship/connectivity-measurement/probeobserver/-/merge_requests/8
16:03:43 <shelikhoo> I can reassign it if you like
16:03:45 <onyinyang> shelikhoo, ok, I'll take a look
16:03:48 <shelikhoo> or wants to
16:03:54 <shelikhoo> feel free to assign it to someone else
16:06:13 <onyinyang> ok
16:06:57 <meskio> maybe we can talk about dan_b's TorVPN topic
16:07:06 <dan_b> alright!
16:07:07 <dan_b> so
16:07:17 <dan_b> we're planning a 3 pronged distribution
16:07:30 <dan_b> torproject.org download, google play store, and fdroid
16:07:38 <dan_b> so the matter of signing apps arose
16:07:43 <dan_b> and it's complex
16:07:54 <dan_b> https://gitlab.torproject.org/tpo/applications/vpn/-/issues/244#note_3227570
16:08:01 <dan_b> here was the summary in gitlab
16:08:07 <dan_b> but basically
16:08:24 <dan_b> when apps from different distribution channels are signed with the same key, you can like "side grade" them?
16:08:41 <dan_b> so if we shared signing keys with google, and you initially got tor vpn from play store
16:08:48 <dan_b> but then say your internet was getting blocked
16:08:58 <dan_b> and Tor gave you a new experimental copy via another channel
16:09:06 <dan_b> if they shared signing keys, they could just install that on top
16:09:18 <dan_b> if they dont share signing keys, they'd have to uninstall, lose settings, install the new one
16:09:27 <meskio> nice, so we can also distribute it over gettor and other channels :)
16:09:39 <dan_b> the problem with google is they demand to do the signing for what they distribute
16:09:45 <dan_b> which means giving them a copy of the keys
16:09:46 <shelikhoo> Do they have to share the same appid?
16:09:51 <dan_b> we in the meeting leaned away from that
16:09:59 <shelikhoo> can we have something like org.tor.googlever
16:09:59 <meskio> wow, so they have the private key?
16:10:02 <dan_b> and picked a strategy of let google do the signing itself with their own keys
16:10:11 <shelikhoo> org.tor.apkrelease
16:10:14 <dan_b> and we then distribute on torproject.org one signed with our own
16:10:24 <shelikhoo> org.tor.fdroidver
16:10:34 <dan_b> and also fdroid has a mechanism where if they confirm reproducibility, they'll distribute the one we publish, so signed with our key
16:10:43 <shelikhoo> so they cannot upgrade to each other
16:10:51 <dan_b> so this means that we'll be able to distribute side-grade options with fdroid, but not google play store
16:11:01 <shelikhoo> but, user can install each version of them independently
16:11:10 <dan_b> they all have the same appid
16:11:11 <dan_b> so no
16:11:16 <dan_b> as it currently stands
16:11:30 <dan_b> we'd not have that option for folks who get their tor vpn from play store
16:11:45 <dan_b> the meeting had no representation from anti censorship or community
16:12:03 <dan_b> so we all focused more on the discomfort and potential risk of sharing signing keys with google
16:12:14 <meskio> I understand
16:12:17 <dan_b> and decided that "we" could live with this side effect
16:12:21 <shelikhoo> If I were to publish such an app, I would make app from different distribution channel a "different" app
16:12:25 <dan_b> but we wanted to actually check in with anticensorship
16:12:36 <dan_b> in case you all wanted to flag that as a bigger concern than we could see
16:12:51 <shelikhoo> with different appid, so that they won't conflict with each other
16:12:55 <dan_b> and or just to inform so we can strategize accordingly for launch and after and docs and etc
16:13:17 <meskio> I guess this problem already exists with TBA, isn't it?
16:13:29 <dan_b> TBA is a grandfathered in case
16:13:33 <meskio> we do distribute TBA over gettor, and I haven't heard complaints about upgrades
16:13:40 <dan_b> it's "old" and so we can actually push our self signed .apks
16:13:59 <meskio> ohhh, I see, is a new rule for google play to demand the private key
16:14:03 <dan_b> that has other limits, there's a hard size limit for that legacy path (in part cus they want ppl to upgrade to the new path)
16:14:05 <shelikhoo> yes!
16:14:08 <dan_b> yes
16:14:15 <shelikhoo> google wants your private key
16:14:31 <meskio> that is fucked up
16:14:34 <dan_b> and on android as everything grows from firefox android to the PTs it's harder, there may come a time we have to revisit that
16:14:49 <dan_b> meskio: yes, those words and others were used in the meeting as well
16:14:59 <meskio> :)
16:15:07 <dan_b> but like, you could just generate a new one for that app... but yeah. its just... not great
16:15:48 <dan_b> shelikhoo: that is an interesting idea, i will make a note to investigate to see how easy it would be to use a separate appid for google
16:16:05 <dan_b> then they could be installed side by side, but the settings wouldnt migrate over
16:16:26 <dan_b> does that seem like it would still be a minor benefit to pursue?
16:16:50 <shelikhoo> dan_b: alternatively, we can make backup settings really easy
16:16:58 <shelikhoo> like just 2 clicks away
16:17:00 <dan_b> yes, that was also raised to investigate
16:17:19 <dan_b> but the initial launch of the beta is locked in already for next month so it might be a fast follow and not launch item
16:17:35 <meskio> sounds reasonable
16:17:45 <dan_b> https://gitlab.torproject.org/tpo/applications/vpn/-/issues/319
16:17:54 <shelikhoo> yes... it could be used to move settings between different versions of apps
16:18:00 <dan_b> was created yesterday as feedback and mitigation from the meeting on this topic
16:18:15 <shelikhoo> I can also comment on this issue later with more details of split appid idea
16:18:17 <dan_b> currently not tagged for the beta release
16:18:28 <shelikhoo> over
16:18:42 <dan_b> cool. I'll also do some research to see how feasible/easy it would be
16:18:53 <dan_b> i think we do something like that for TB for the alpha / nightly / release channel
16:18:58 <meskio> I think is fine if users need to reinstall to upgrade, sadly users in censored areas are used to suffer some pain
16:19:07 <dan_b> haaaaa ok
16:19:37 <dan_b> thanks. and so yeah I was dispatched too just to get this on all your radars 🙂
16:19:48 <onyinyang> thanks for bringing this up to us dan_b
16:20:00 <onyinyang> interesting/horrifying
16:20:02 <dan_b> my pleasure!
16:20:03 <dan_b> ha yessssss
16:20:17 <shelikhoo> haaaaa thanks dan_b
16:20:18 <dan_b> ok that's all i have
16:20:19 <meskio> dan_b: will TorVPN releases be advertized in the same json than TB releases?
16:20:30 <dan_b> oooh, which json?
16:20:48 <meskio> I mean https://aus1.torproject.org/torbrowser/update_3/release/
16:21:01 <meskio> we use that in gettor
16:21:16 <meskio> or something similar that we can use in gettor?
16:21:20 <dan_b> what is gettor?
16:21:33 <dan_b> that currently isnt on my radar
16:21:38 <meskio> gettor is a way to get TorBrowser over email or telegram
16:21:42 <dan_b> ooooh
16:21:59 <dan_b> https://gitlab.torproject.org/tpo/applications/vpn/-/issues/244
16:22:02 <meskio> the telegram one is very much used
16:22:04 <dan_b> here is the parent issue i'm working from
16:22:20 <dan_b> could you drop a note about gettor and the json file and how it's generated or populated
16:22:29 <meskio> yes, I'll add a note about it
16:22:29 <dan_b> so I can track that and see if I can make that happen then?
16:22:34 <dan_b> awesome thanks!!
16:23:17 <dan_b> it's kinda of a mess of a ticket, and some sub tickets have belatedly been spun off to track tasks 🙂 but that's the "epic" i guess, and I can make new tasks from that later
16:23:45 <meskio> cool, we can coordinate there and create issues as needed
16:23:57 <meskio> we'll also need an issue in our side to add support for TorVPN in gettor
16:25:00 <dan_b> ok cool, can you link to the repo in your post (for tor-browser even tho we have/had a bunch of repos we tracked all the issues just in the TB one, not sure if your team does the same)
16:25:49 <meskio> sure, I'll link the gettor repos (is actually two different things for email and telegram)
16:25:57 <dan_b> aaaah k
16:27:30 <onyinyang> anything else to discuss on this topic?
16:27:35 <meskio> not from me
16:27:36 <shelikhoo> eof from me
16:27:59 <dan_b> nope i'm good, thanks all! making comments on tickets now (shelikhoo I'm about to mention your separate appid idea 🙂 )
16:28:10 <onyinyang> great!
16:28:13 <onyinyang> ok, we don't have any other topics today, just some interesting links from FOCI and PETS last week
16:28:23 <onyinyang> maybe we'd like to make a reading group for one of them?
16:28:35 <onyinyang> Or anything else from the conferences last week that was interesting?
16:28:41 <shelikhoo> nice! I will have a look and maybe add some details
16:28:48 <dan_b> shelikhoo do you want to be tagged in the issue, and what's your gitlab handle if so?
16:28:55 <shelikhoo> @shelikhoo
16:28:59 <shelikhoo> please tag me
16:29:20 <meskio> maybe we can discuss theodorsm paper in a reading group
16:29:31 <meskio> I'm also interested in the FOCI's one about ECH
16:30:00 <dcf1> the ECH one is good
16:30:04 <shelikhoo> so many great papers
16:30:24 <meskio> https://www.petsymposium.org/foci/2025/foci-2025-0016.pdf
16:30:33 <meskio> ^- the ECH paper I talk about
16:31:05 <meskio> CenPush was not in my radar, I should check it out, thanks
16:31:19 <meskio> so what do we want to read as a reading group?
16:31:53 <cohosh> i'll second the ECH one, i think it's good to be aware of
16:32:03 <meskio> ok, let's do that one
16:32:22 <meskio> checking the calendar the next meeting that none of us is AFK is August 14
16:32:26 <meskio> am I correct?
16:33:01 <cohosh> that should work for me
16:33:06 <onyinyang> me too
16:33:25 <shelikhoo> should work for me
16:33:27 <shelikhoo> as well
16:34:15 <meskio> nice, we have a date and a paper :)
16:34:41 <onyinyang> good work everyone XD
16:34:49 <onyinyang> I guess that's all for today
16:34:54 <meskio> yep
16:35:12 <onyinyang> thanks for the discussion! :)
16:35:13 <onyinyang> #endmeeting